lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <20250305101744.1706803-1-vkuznets@redhat.com>
Date: Wed,  5 Mar 2025 11:17:44 +0100
From: Vitaly Kuznetsov <vkuznets@...hat.com>
To: x86@...nel.org,
	linux-efi@...r.kernel.org
Cc: Thomas Gleixner <tglx@...utronix.de>,
	Ingo Molnar <mingo@...hat.com>,
	Dave Hansen <dave.hansen@...ux.intel.com>,
	"H. Peter Anvin" <hpa@...or.com>,
	Ard Biesheuvel <ardb@...nel.org>,
	Peter Jones <pjones@...hat.com>,
	Daniel Berrange <berrange@...hat.com>,
	Emanuele Giuseppe Esposito <eesposit@...hat.com>,
	Gerd Hoffmann <kraxel@...hat.com>,
	Greg KH <gregkh@...uxfoundation.org>,
	Luca Boccassi <bluca@...ian.org>,
	Peter Zijlstra <peterz@...radead.org>,
	Matthew Garrett <mjg59@...f.ucam.org>,
	James Bottomley <James.Bottomley@...senpartnership.com>,
	Eric Snowberg <eric.snowberg@...cle.com>,
	Paolo Bonzini <pbonzini@...hat.com>,
	linux-kernel@...r.kernel.org
Subject: [PATCH RFC] x86/efi: Add a mechanism for embedding SBAT section

SBAT is a mechanism which improves SecureBoot revocations of UEFI binaries
by introducing a generation-based technique. Compromised or vulnerable UEFI
binaries can be prevented from booting by bumping the minimal required
generation for the specific component in the bootloader. More information
on the SBAT can be obtained here:

https://github.com/rhboot/shim/blob/main/SBAT.md

Previously, an attempt was made to add ".sbat" section to the linux kernel:

https://lwn.net/Articles/938422/

The approach was rejected mainly because currently there's no policy on how
to update SBAT generation number when a new vulnerability is discovered. In
particular, it is unclear what to do with stable kernels which may or may
not backport certain patches making it impossible to describe the current
state with a simple number.

This patch suggests a different approach: instead of defining SBAT
information, provide a mechanism for downstream kernel builders (distros)
to include their own SBAT data. This leaves the decision on the policy to
the distro vendors. Basically, each distro implementing SecureBoot today,
will have an option to inject their own SBAT data during kernel build and
before it gets signed by their SecureBoot CA. Different distro do not need
to agree on the common SBAT component names or generation numbers as each
distro ships its own 'shim' with their own 'vendor_cert'/'vendor_db'. Linux
upstream will never, ever need to care about the data unless they choose in
the future to participate in that way.

Currently, shim checks .sbat data for itself in self-test and for second
stage bootloaders (grub, sd-boot, UKIs with sd-stub, ...) but kernel
revocations require cycling signing keys or adding kernel hashes to shim's
internal dbx. Adding .sbat to kernel and enforcing it on kernel loading
will allow us to do the same tracking and revocation distros are already
doing with a simplified mechanism, and without having to keep lists of
kernels outside of the git repos.

Finding a place for SBAT section turned out to be a bit tricky. Current
PE layout looks like this:

- without CONFIG_EFI_MIXED:
  +-----------------------------------+-------------------------------+
  | setup            [setup_signature]| compressed text | data [crc32]|
  +-----------------------------------+-----------------+-------------+

- with CONFIG_EFI_MIXED:
  +-------+---------------------------+----------------+-------------+
  | setup | pecompat [setup_signature]| compressed text| data [crc32]|
  +-------+---------------------------+----------------+-------------+

Limitations are:
- To avoid problems with signatures, all sections must be 4k aligned with
  no gaps between them.
- CRC32 must be at the end of the file.
- Nothing can be put before 'setup'.
- Nothing can be squeezed between [setup_signature] and compressed text.
- The whole 'setup' (everything before '.text') must fit into 8 4k pages.

Note: .pecompat contains only 8 bytes of useful data but to save the space,
the tail from .setup including [setup_signature] is also added to it (see
commit 1ad55cecf22f ("x86/efistub: Use 1:1 file:memory mapping for PE/COFF
.compat section")).

With the limitations, there are three straightforward options:
- Put .sbat between .setup and .pecompat. Advantage: with normal sized
SBAT, kernel grows by 1 page only. Disadvantage: this one page comes from
the precious '8 pages' limit.

- Put .sbat to the very end of the file. Advantage: no need to touch
'setup'. Disadvantage: two pages are now needed as we don't want to make
CRC32 part of the SBAT section.

- Put .sbat between '.text' and '.data'. Advantages: no need to touch
'setup' and CRC32. 'CONFIG_EFI_MIXED' case doesn't seem to make much
difference either.

Implement the last one as it doesn't seem to have obvious disadvantages.

Signed-off-by: Vitaly Kuznetsov <vkuznets@...hat.com>
---
RFC part:
- General acceptance of the idea.
- .sbat section placement.

The implementation is done for x86 only at this moment but I think it
shouldn't be that hard to extend it to other arches (and I hope the
solution for those which use common zboot mechanism will be the same).
---
 arch/x86/Kconfig                       | 25 +++++++++++++++++++++++++
 arch/x86/boot/Makefile                 |  2 +-
 arch/x86/boot/compressed/Makefile      |  7 +++++++
 arch/x86/boot/compressed/sbat.S        |  8 ++++++++
 arch/x86/boot/compressed/vmlinux.lds.S |  8 ++++++++
 arch/x86/boot/header.S                 | 21 +++++++++++++++++++--
 6 files changed, 68 insertions(+), 3 deletions(-)
 create mode 100644 arch/x86/boot/compressed/sbat.S

diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index be2c311f5118..05069b085663 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -2062,6 +2062,31 @@ config EFI_RUNTIME_MAP
 
 	  See also Documentation/ABI/testing/sysfs-firmware-efi-runtime-map.
 
+config EFI_SBAT
+	bool "Embed SBAT section in the kernel"
+	depends on EFI_STUB
+	help
+	  SBAT section provides a way to improve SecureBoot revocations of UEFI
+	  binaries by introducing a generation-based mechanism. With SBAT, older
+	  UEFI binaries can be prevented from booting by bumping the minimal
+	  required generation for the specific component in the bootloader.
+
+	  Note: SBAT information is distribution specific, i.e. the owner of the
+	  signing SecureBoot certificate must define the SBAT policy. Linux
+	  kernel upstream does not define SBAT components and their generations.
+
+	  See https://github.com/rhboot/shim/blob/main/SBAT.md for the additional
+	  details.
+
+	  If unsure, say N.
+
+config EFI_SBAT_FILE
+	string "Embedded SBAT section file path"
+	depends on EFI_SBAT
+	help
+	  Specify a file with SBAT data which is going to be embedded as '.sbat'
+	  section into the kernel.
+
 source "kernel/Kconfig.hz"
 
 config ARCH_SUPPORTS_KEXEC
diff --git a/arch/x86/boot/Makefile b/arch/x86/boot/Makefile
index 9cc0ff6e9067..73926fc79127 100644
--- a/arch/x86/boot/Makefile
+++ b/arch/x86/boot/Makefile
@@ -75,7 +75,7 @@ $(obj)/vmlinux.bin: $(obj)/compressed/vmlinux FORCE
 
 SETUP_OBJS = $(addprefix $(obj)/,$(setup-y))
 
-sed-zoffset := -e 's/^\([0-9a-fA-F]*\) [a-zA-Z] \(startup_32\|efi.._stub_entry\|efi\(32\)\?_pe_entry\|input_data\|kernel_info\|_end\|_ehead\|_text\|_e\?data\|z_.*\)$$/\#define ZO_\2 0x\1/p'
+sed-zoffset := -e 's/^\([0-9a-fA-F]*\) [a-zA-Z] \(startup_32\|efi.._stub_entry\|efi\(32\)\?_pe_entry\|input_data\|kernel_info\|_end\|_ehead\|_text\|_e\?data\|_e\?sbat\|z_.*\)$$/\#define ZO_\2 0x\1/p'
 
 quiet_cmd_zoffset = ZOFFSET $@
       cmd_zoffset = $(NM) $< | sed -n $(sed-zoffset) > $@
diff --git a/arch/x86/boot/compressed/Makefile b/arch/x86/boot/compressed/Makefile
index 606c74f27459..aef3e20fdbd4 100644
--- a/arch/x86/boot/compressed/Makefile
+++ b/arch/x86/boot/compressed/Makefile
@@ -107,6 +107,13 @@ vmlinux-objs-$(CONFIG_UNACCEPTED_MEMORY) += $(obj)/mem.o
 vmlinux-objs-$(CONFIG_EFI) += $(obj)/efi.o
 vmlinux-objs-$(CONFIG_EFI_MIXED) += $(obj)/efi_mixed.o
 vmlinux-libs-$(CONFIG_EFI_STUB) += $(objtree)/drivers/firmware/efi/libstub/lib.a
+vmlinux-objs-$(CONFIG_EFI_SBAT) += $(obj)/sbat.o
+
+$(obj)/sbat.o: $(obj)/sbat
+targets += sbat
+filechk_sbat = cat $(or $(real-prereqs), /dev/null)
+$(obj)/sbat: $(CONFIG_EFI_SBAT_FILE) FORCE
+	$(call filechk,sbat)
 
 $(obj)/vmlinux: $(vmlinux-objs-y) $(vmlinux-libs-y) FORCE
 	$(call if_changed,ld)
diff --git a/arch/x86/boot/compressed/sbat.S b/arch/x86/boot/compressed/sbat.S
new file mode 100644
index 000000000000..dfa8aeb36660
--- /dev/null
+++ b/arch/x86/boot/compressed/sbat.S
@@ -0,0 +1,8 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+/*
+ * Embed SBAT data in the kernel.
+ */
+	.pushsection ".sbat", "a", @progbits
+	.incbin "arch/x86/boot/compressed/sbat"
+	.balign	0x1000
+	.popsection
diff --git a/arch/x86/boot/compressed/vmlinux.lds.S b/arch/x86/boot/compressed/vmlinux.lds.S
index 083ec6d7722a..c93670bac7f8 100644
--- a/arch/x86/boot/compressed/vmlinux.lds.S
+++ b/arch/x86/boot/compressed/vmlinux.lds.S
@@ -43,6 +43,14 @@ SECTIONS
 		*(.rodata.*)
 		_erodata = . ;
 	}
+#ifdef CONFIG_EFI_SBAT
+	.sbat : ALIGN(0x1000) {
+		_sbat = . ;
+		*(.sbat)
+		_esbat = . ;
+	}
+	ASSERT((_esbat % 0x1000) == 0, "SBAT section end is not page-aligned!")
+#endif
 	.data :	ALIGN(0x1000) {
 		_data = . ;
 		*(.data)
diff --git a/arch/x86/boot/header.S b/arch/x86/boot/header.S
index b5c79f43359b..38ce62ef89d9 100644
--- a/arch/x86/boot/header.S
+++ b/arch/x86/boot/header.S
@@ -183,9 +183,9 @@ pecompat_fstart:
 	.byte	0
 	.byte	0
 	.byte	0
-	.long	ZO__data
+	.long	text_fsize
 	.long	setup_size
-	.long	ZO__data			# Size of initialized data
+	.long	text_fsize			# Size of initialized data
 						# on disk
 	.long	setup_size
 	.long	0				# PointerToRelocations
@@ -196,6 +196,23 @@ pecompat_fstart:
 		IMAGE_SCN_MEM_READ		| \
 		IMAGE_SCN_MEM_EXECUTE		# Characteristics
 
+#ifdef CONFIG_EFI_SBAT
+	.ascii ".sbat\0\0\0"
+	.long	ZO__esbat - ZO__sbat		# VirtualSize
+	.long	setup_size + ZO__sbat		# VirtualAddress
+	.long	ZO__esbat - ZO__sbat		# SizeOfRawData
+	.long	setup_size + ZO__sbat		# PointerToRawData
+
+	.long	0, 0, 0
+	.long	IMAGE_SCN_CNT_INITIALIZED_DATA	| \
+		IMAGE_SCN_MEM_READ		| \
+		IMAGE_SCN_MEM_DISCARDABLE	# Characteristics
+
+	.set	text_fsize, ZO__sbat
+#else
+	.set	text_fsize, ZO__data
+#endif
+
 	.ascii	".data\0\0\0"
 	.long	ZO__end - ZO__data		# VirtualSize
 	.long	setup_size + ZO__data		# VirtualAddress
-- 
2.48.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ